Re: [dmarc-ietf] Errors in the tree walk, was version bump to DMARC2

Alessandro Vesely <vesely@tana.it> Sat, 10 June 2023 17:59 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90AEDC15256E for <dmarc@ietfa.amsl.com>; Sat, 10 Jun 2023 10:59:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="WtxcUtP5"; dkim=pass (1152-bit key) header.d=tana.it header.b="AdwtAMdX"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DHHlaqyPAXKh for <dmarc@ietfa.amsl.com>; Sat, 10 Jun 2023 10:58:59 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92EBEC1522D3 for <dmarc@ietf.org>; Sat, 10 Jun 2023 10:58:58 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1686419935; bh=14WJ7cD4u8WGq0oy1Kip1n2ExHrYGmhTTEai913GoAo=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=WtxcUtP5yZ0b5hzSEOznY107m2r63mo12feYbkYBpBIV6vNOWBtlivB8seHVMFA5M d7h2LDSryqeDPIQxJtbCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1686419935; bh=14WJ7cD4u8WGq0oy1Kip1n2ExHrYGmhTTEai913GoAo=; h=Date:Subject:To:References:From:In-Reply-To; b=AdwtAMdX4AXmV50KeM/wiRnh9mvdzJADKUDlI7jffbBxE3LOu0sFXntEE92YQyZ0k XeJ3YAaOLXIxqRfv7ngffM9tAVrKmB8tT/GsQTlrg0lsJtAbw4jSBO/1SgHy+9p4Zx iLWigxIjvGlCo9KpEfweA3JE3QUTHZopY769K3lnq4FA7lxcd/qtAo6Hhiyiq
Original-Subject: Re: [dmarc-ietf] Errors in the tree walk, was version bump to DMARC2
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC05B.000000006484B9DE.00003452; Sat, 10 Jun 2023 19:58:54 +0200
Message-ID: <ef642e9a-5c44-3ef1-4012-c5a588d0a08e@tana.it>
Date: Sat, 10 Jun 2023 19:58:54 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US, it-IT
To: dmarc@ietf.org
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <20230608162112.5903CE7035F3@ary.local> <CABZJ8kkSAf3V0ccNAQn0ntPH+nOyTB6Jqj=fU+Pt4Ga5RByMDA@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CABZJ8kkSAf3V0ccNAQn0ntPH+nOyTB6Jqj=fU+Pt4Ga5RByMDA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Dpq6fMR_HWWwUrwE_ghMTZPvT0g>
Subject: Re: [dmarc-ietf] Errors in the tree walk, was version bump to DMARC2
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jun 2023 17:59:08 -0000

On Sat 10/Jun/2023 01:26:18 +0200 Emil Gustafsson wrote:
> 
> Without a version change for the tree-walk, I think we (Google) would need to 
> support both approaches (the old one plus the tree-walk) and based on what we 
> see - make a best guess which version we should use.


I haven't coded the tree walk yet, but I'm thinking of doing the same.


> Having two explicit versions still means we have two implementations, but at 
> least we don't have to guess which one to use whenever there would be ambiguity 
> with a single version.


Why two versions?  Tree walk can be supported while still checking it against 
the PSL in the same version of the verifier.  One point, for example, is the 
lack of psd=y tags in the critical domains.

In this respect, I propose to report the most striking configuration errors in 
DMARC aggregate reports.  In fact, RFCs 6651 and 6652 have seen very little 
adoption; ruf= a little bit more, but still much less than DMARC aggregate reports.

Errors like missing psd=, invalid SPF record, invalid or missing DKIM record, 
and similar could be added in the report header, e.g. after <policy_published>, 
in case relevant errors are seen.  Maybe that could improve settings...


Best
Ale
--
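Added illustration of the cross-check Ale describes above, running a tree-walk model and a PSL lookup side by side in one verifier and collecting the configuration errors (a public suffix publishing DMARC without psd=y, and the resulting organizational-domain mismatch) that a report generator could surface. This is example code written for this archive page, not code from the list, the dmarcbis draft, or any DMARC verifier. The tree-walk rules are a simplified model of the draft's algorithm: the eight-label cap, the "one label below psd=y" rule and the "fewest labels with a record" fallback are assumptions to check against the current draft text. The DNS zone and the mini public suffix list are constructed, as is the idea of emitting the error strings into an aggregate report; nothing here is a real domain or a standardized report element.

```python
"""Cross-check DMARC tree-walk organizational-domain discovery against the PSL.

Example code for the thread above; the tree-walk rules are a simplified,
assumed model of the dmarcbis algorithm, and all DNS/PSL data is constructed.
"""

# Constructed DNS zone: name -> TXT record published at _dmarc.<name>.
SAMPLE_DNS = {
    "_dmarc.example": "v=DMARC1; p=reject; psd=y",   # PSD tagged correctly
    "_dmarc.alpha.example": "v=DMARC1; p=quarantine",
    "_dmarc.co.test": "v=DMARC1; p=none",            # PSD that forgot psd=y
    "_dmarc.corp.co.test": "v=spf1 -all",             # not a DMARC record, ignored
}

# Constructed mini public suffix list (the real PSL has thousands of entries).
SAMPLE_PSL = {"example", "test", "co.test"}

MAX_LABELS = 8  # assumed cap on the number of labels the walk examines


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None unless it starts with v=DMARC1."""
    if txt is None:
        return None
    first = txt.split(";", 1)[0].strip().lower().replace(" ", "")
    if first != "v=dmarc1":
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue            # skip empty trailing parts and malformed pieces
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def _walk_names(domain):
    """Names queried by the walk, longest first, capped at MAX_LABELS (assumed)."""
    labels = domain.lower().strip(".").split(".")[-MAX_LABELS:]
    return [".".join(labels[i:]) for i in range(len(labels))]


def tree_walk(domain, dns):
    """Return [(name, tags)] for every walked name that publishes a valid DMARC record."""
    found = []
    for name in _walk_names(domain):
        tags = parse_dmarc(dns.get("_dmarc." + name))
        if tags is not None:
            found.append((name, tags))
    return found


def org_domain_tree_walk(domain, dns):
    """Model of organizational-domain discovery by tree walk (rules are assumptions)."""
    walked = _walk_names(domain)
    records = dict(tree_walk(domain, dns))
    for idx, name in enumerate(walked):
        tags = records.get(name)
        if tags is None:
            continue
        if tags.get("psd") == "n":
            return name                                   # declared non-PSD: org domain
        if tags.get("psd") == "y":
            return walked[idx - 1] if idx > 0 else name   # one label below the PSD
    if records:
        return min(records, key=lambda n: n.count("."))   # fallback: fewest labels
    return None


def org_domain_psl(domain, psl):
    """Classic PSL-based organizational domain: longest public suffix plus one label."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            return ".".join(labels[i - 1:]) if i > 0 else ".".join(labels[i:])
    return None


def audit(domain, dns, psl):
    """Run both methods and collect the configuration errors a verifier could report."""
    errors = []
    for name, tags in tree_walk(domain, dns):
        if name in psl and tags.get("psd") != "y":
            errors.append("missing psd=y in DMARC record of public suffix " + name)
    tw = org_domain_tree_walk(domain, dns)
    ps = org_domain_psl(domain, psl)
    if tw != ps:
        errors.append("org domain mismatch: tree walk=%s psl=%s" % (tw, ps))
    return {"tree_walk": tw, "psl": ps, "errors": errors}


if __name__ == "__main__":
    for author_domain in ("news.alpha.example", "mail.corp.co.test"):
        print(author_domain, audit(author_domain, SAMPLE_DNS, SAMPLE_PSL))
```

For news.alpha.example both methods agree on alpha.example because the constructed PSD record at example carries psd=y. For mail.corp.co.test the walk's fallback lands on co.test, the PSL says corp.co.test, and the audit returns two errors, which is the kind of finding the proposal above would put next to <policy_published>.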